Certbot - Multi Domain Certificates using X509 V3 SAN Fields

I’m having a bit of a problem with my Let’s Encrypt setup, and renewing my certificates.

Right now, I have a couple of domains set up on my VPS. All of these domains have Let’s Encrypt enabled for them, but the Common Name for every domain is a single domain. As an example:

I have a few domains, owenthe.ninja, o355.us, and survivalcraftmc.net. If I attempt to renew all three at once, the Common Name ends up usually being the first in the list, in such an example, owenthe.ninja, for all 3 certificates. Of course, this ends up becoming a problem with some browsers.

Since I run my renews with a cronjob every 1080 hours with letsencrypt renew, this becomes a problem for some browsers, as they think the certificate is invalid.

I’m basically wondering how I can have this setup:

owenthe.ninja - CN owenthe.ninja
survivalcraftmc.net - CN survivalcraftmc.net
and so on and so forth, and manage to do it in my cronjob (instead of doing each renewal one domain at a time in the GUI).

Hi @o355,

First of all, Common Name is deprecated, clients not supporting SANs are very old.

Regarding the common name deprecation you can check the RFC6125

   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity.  Otherwise, the (most specific) Common Name
   field in the Subject field of the certificate MUST be used.  Although
   the use of the Common Name is existing practice, it is deprecated and
   Certification Authorities are encouraged to use the dNSName instead.

Right now you the common name of your certificate will be the first domain specified in the command line or the one specified using --cert-name param of certbot (formerly called letsencryp) client. I don't know what is the version of your client but the --cert-name param was included in the certbot client version 0.10.0.

Keep in mind that you can only have a common name per certificate, you can have till 100 names per certificate using SAN but only 1 common name so if you want a different common name for every certificate, you need to issue one certificate per the domain you need to appear in common name field.

Also, if you have problems with some clients that needs a comon name and don't accept SANs I suppose those clients will have issues with SNI support too so you will have problems if you are serving those domains from the same web server sharing the same ip.

Note: Also, in a future, as common name is deprecated, Let's Encrypt could change how the manage the common name field and put a random seriel namer instead of a domain name.


I get it now. I got a little scared after an old computer running OS X 10.7.5 was warning me about the CN not being the same as the real domain.

I’ll have to fool around with the --cert-name parameter. I like seeing in a web browser the certificate being “issued” to the same domain that I’m visiting. I actually didn’t know about Common Names getting depreciated for dNSName instead, and I’m assuming that’s why web browsers don’t raise an eyebrow when visiting my site, but correct me if I’m wrong.

Note that --cert-name does not control the CN field, but only where your certificate is saved in /etc/letsencrypt (or which certificate in /etc/letsencrypt you’re referring to when re-running Certbot).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.